I’ve written before about the precarious state of Swedish cyber security, and I find myself coming back to the subject.

Specifically, after spending the day with some very clever people working on the formation of Cybercampus Sweden, I keep returning to the question of why there's relatively little innovation happening in this field. (Just scroll through this list for evidence.)

My provisional answer is that the question needs to be reframed. In fact, there are plenty of innovative solutions out there. The real mystery is why we're so slow to adopt them.

Why, for instance, do 85 % of all sites on the Internet use Google Analytics, which clearly has privacy issues, when there are free and open alternatives like Plausible Analytics, which doesn't infringe on people's privacy and still offers enough useful insights for most webmasters to do a good job?

Or why do we keep using Zoom and Teams – both of which have glaring security issues – when there are open source alternatives like BigBlueButton, which can be self-hosted and where there's an army of idealistic developers constantly looking for flaws and shipping patches? (It's not perfect, but it seems to be holding up pretty well.)

Or why do we even consider storing sensitive data on AWS – which has had its fair share of nasty breaches – when there are perfectly good alternatives such as Nextcloud, which lets you spin up a private cloud of your own?

To be sure, a private cloud can be hacked just as well as a public one. All things being equal, however, a private cloud (or an on-premise installation of an app) is still inherently the more secure choice, since the data lives on your own servers, meaning no foreign intelligence agency can demand that a back door be opened to access it.

To go on: why do we use Windows instead of Linux, even though professionals agree that the latter is superior from a security point of view?

Why do we use Slack when an on-premise installation of the open source alternative Mattermost is a *clear* winner when it comes to security?

Why do we keep making these perfectly irrational choices? It would be nice if the whole issue boiled down to some mindful trade-off. For example: we use the software that offers the best UX, even at the price of weaker security.

It suffices to compare the solid user experience of iOS to that of Android – which sends 20 times more data to Google than an iPhone does to Apple – to realise that this is not the case.

So again, why?

Why indeed… An old Bible quote comes to mind:

> I do not understand what I do. For what I want to do, I do not do. But what I hate, I do.
>
> Romans 7:15

When the real truth starts seeping in, it feels like one of those detective stories where you realise in hindsight that the clues were there in plain view for anyone who cared to really look. In fact, there's no big mystery; there's just the very human tendency to resist change.

We’re in this mess because that’s where the evolution of enterprise software has left us. We know how to get to a better place, at least in theory, but it’s just *so* much hard work.

And even if we did take on all that work, which would probably take just as much of an effort as honouring the Paris Agreement, it wouldn't be enough, of course. We'd have created a much more resilient digital infrastructure, for sure, but that would just mean the end of the beginning, to quote Churchill. From there on out, we would have to get *really* innovative and push the envelope, because there's so much more to be done: from coming up with new business models to support open-core projects, to creating safe ways to train AI models on sensitive data. The list goes on, but that's the topic of a different post.